We are implementing password sync between AD and eDirectory. The
environment has multiple AD domain controllers. We have the Remote Loader
installed on one of the DCs and the password sync DLL on the other DCs. The
password is getting synchronized when it is changed in eDirectory as well as
in AD. Our requirement is that when an admin in eDirectory or an
administrator in AD resets a password, it should expire in both directories.
When a user changes his own password, it will set the expiration time to the
current time + 90 days. We have policies in place in both the Publisher and
Subscriber channels for this.

In the AD driver's Publisher Channel, we have a policy which checks the value
of the AD attribute pwdLastSet. If it is equal to 0, the policy sets the
password expiration time to the current date for the user ID in question in
eDirectory. When an administrator in AD resets a password, he checks the box
"User must change password at next logon", which puts 0 as the value of
pwdLastSet. In the AD driver's schema mapping policy, we mapped this
attribute to the eDirectory attribute "pwdChangedTime".

So everything is working fine: when an administrator in AD or an admin in
eDirectory resets a password, the password is synchronized to the other
directory and it is expired. When a user changes his password in either
directory, the expiration time is set to 90 days. This works fine if the
user or admin changes the password on the DC which has the Remote Loader
installed.

When a user or admin resets a password on a DC other than the Remote Loader
one, or with the password sync DLL, it syncs the password to eDirectory but
the password expiration time is not synced. I will describe a scenario as
follows:

An administrator in AD resets a password on a DC other than the Remote
Loader one. It expires the password in AD but does not expire it in
eDirectory. At the same time, the changed password is synced to eDirectory.
Now, after this, if the user resets the password, the password is expired in
eDirectory (whereas it should set the password expiration to 90 days). Now,
if the administrator resets the password again, the expiration time in
eDirectory is set to 90 days, whereas it should expire the password.

So it seems the modify-password event is sent to eDir very fast, which syncs
the changed password to eDir, but the password expiration time gets delayed.
So the next time you reset the password again, the old value of the
expiration time from the previous transaction is synced to eDir.

I would really appreciate any help on this.
My email ID is email@example.com
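The publisher-channel rules the post describes, written out as an added DirXML-Script example (this is not the poster's actual policy). It assumes the policy sits in the Publisher Event Transformation, before Schema Mapping, so the AD name pwdLastSet is still in use, and that the eDirectory attribute to set is "Password Expiration Time" (an assumed name); the 90-day rule for a user's own change is included alongside the admin-reset rule.

```xml
<policy>
  <rule>
    <description>Admin reset in AD (pwdLastSet = 0): expire the eDirectory password now</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">modify</if-operation>
        <if-op-attr name="pwdLastSet" op="equal">0</if-op-attr>
      </and>
    </conditions>
    <actions>
      <!-- current time in eDirectory CTIME syntax: the password is expired immediately -->
      <do-set-dest-attr-value name="Password Expiration Time">
        <arg-value type="time">
          <token-time format="!CTIME" tz="UTC"/>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
  <rule>
    <description>User self-change (pwdLastSet changing to a non-zero value): expire in 90 days</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">modify</if-operation>
        <if-op-attr name="pwdLastSet" op="changing"/>
        <if-op-attr name="pwdLastSet" op="not-equal">0</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="now" scope="policy">
        <arg-string>
          <token-time format="!CTIME" tz="UTC"/>
        </arg-string>
      </do-set-local-variable>
      <!-- 90 days = 7776000 seconds; XPath converts the $now string to a number before adding -->
      <do-set-dest-attr-value name="Password Expiration Time">
        <arg-value type="time">
          <token-xpath expression="$now + 7776000"/>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
</policy>
```

Both rules act only on the event that carries the pwdLastSet modification, so when the password change and the pwdLastSet change arrive as separate events from a DC without the Remote Loader, the expiration is set whenever the second event is processed, not when the password itself is synced.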